September 2005
Report No. 05-031

FDIC’s Information Technology Configuration Management Controls Over Operating System Software

Background and Purpose of Audit

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with International Business Machines (IBM) Business Consulting Services to audit and report on the effectiveness of the FDIC’s configuration management controls over operating system software. The results of this audit support the OIG in fulfilling its evaluation and reporting responsibilities under the Federal Information Security Management Act.

Configuration management is a critical control for ensuring the integrity, security, and reliability of information systems. Absent a disciplined process for managing software changes, management cannot be assured that systems will operate as intended, that software defects will be minimized, and that configuration changes will be made in an efficient and timely manner.

The objective of the audit was to determine whether the FDIC had established and implemented configuration management controls over its operating system software that were consistent with federal standards and guidelines and industry-accepted practices.

Results of Audit

The FDIC had established and implemented a number of configuration management controls over its operating system software that were consistent with federal standards and guidelines and industry-accepted practices. Such controls included a software patch management policy, a change control board, and periodic scanning of operating system software configurations. These actions were positive; however, control improvements were needed. Specifically, the FDIC needed to establish an organizational policy and system-specific procedures to ensure proper configuration of operating system software. The FDIC also needed to standardize and integrate the recording, tracking, and reporting of operating system software configuration changes to the extent practical.

Recommendations and Management Response

IBM recommends that the FDIC:

• establish an organizational policy that defines roles, responsibilities, and overall principles and management expectations for performing configuration management of operating system software;

• develop configuration management plan(s) that include system-specific procedures for managing the configuration of operating system software;

• ensure that the certification and accreditation of the FDIC’s general support systems incorporate an evaluation and testing of the configuration management policy and plan(s) referenced above;

• fully document the minimum required configuration settings for the operating systems covered in this review, and develop procedures to ensure that changes to baseline configuration settings are documented; and

• standardize and integrate the recording, tracking, and reporting of configuration changes within and across operating system software platforms to the maximum extent practical.

FDIC management generally agreed with the report’s recommendations and has either initiated or plans to initiate actions to address them.

To view the full report, go to www.fdicig.gov/2005reports.asp

Federal Deposit Insurance Corporation
801 17th Street NW, Washington, DC 20434
Office of Inspector General, Office of Audits

DATE: September 8, 2005

MEMORANDUM TO: Michael E. Bartell, Chief Information Officer and Director, Division of Information Technology

FROM: Russell A. Rau [Original signed by Stephen M. Beard for Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: FDIC’s Information Technology Configuration Management Controls Over Operating System Software (Report No. 05-031)

Enclosed is a copy of a report completed by the independent professional services firm of International Business Machines (IBM) Business Consulting Services. The firm’s report is presented as Part I of this document.

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with IBM to audit and report on the effectiveness of the FDIC’s configuration management controls over operating system software.
The results of this audit support the OIG in fulfilling its evaluation and reporting responsibilities under the Federal Information Security Management Act of 2002. The objective of the audit was to determine whether the FDIC had established and implemented configuration management controls over its operating system software that were consistent with federal standards and guidelines and industry-accepted practices. The audit focused on four of the FDIC’s operating system software platforms used to support sensitive and mission-critical business applications. This report provides recommendations to strengthen configuration management controls over the FDIC’s operating system software.

Our evaluation of your response, a summary of your response and the status of corrective actions, and your response in its entirety are contained in Part II of this report. The response adequately addressed the recommendations in the report. We consider the report’s recommendations to be resolved, but they will remain undispositioned and open for reporting purposes until we have determined that agreed-to corrective actions have been completed and are effective.

Table of Contents

Part I:
  Report by International Business Machines (IBM) Business Consulting Services
  FDIC’s Information Technology Configuration Management Controls Over Operating System Software ... I-1

Part II:
  Corporation Comments and OIG Evaluation ... II-1
  Management Response to Recommendations ... II-4
  Corporation Comments ... II-6

Part I
Report by IBM Business Consulting Services

IBM Business Consulting Services

FDIC’s Information Technology Configuration Management Controls Over Operating System Software
Report No. 05-031

Prepared for the Federal Deposit Insurance Corporation Office of Inspector General

Submitted by: IBM Business Consulting Services, Security, Privacy, & Wireless, 12902 Federal Systems Park Drive, Fairfax, VA 22033

FDIC’s IT Configuration Management Controls Over Operating System Software
Prepared for the Federal Deposit Insurance Corporation Office of Inspector General (I-i)

Table of Contents

Section ... Page
1. Executive Summary ... 1
2. Background ... 3
3. Detailed Finding: Configuration Management Controls for Operating System Software ... 7
Appendix A: Objective, Scope, and Methodology ... 14
Appendix B: Additional Information on the Capability Maturity Model Integration ... 16
Appendix C: Laws and Regulations ... 18
Appendix D: Acronyms ... 19
Appendix E: Glossary of Terms ... 20

List of Tables
Table 1: Operating System Software Platforms Reviewed ... 5
Table 2: CMMI Bodies of Knowledge ... 16
Table 3: Capability Levels (Continuous Representation), Excerpts from the CMMI ... 17

List of Exhibits
Exhibit 1: Software Configuration Management Principles of the CMMI ... 3
Exhibit 2: Change Management Process Steps ... 4
Exhibit 3: Configuration Identification ... 7
Exhibit 4: Configuration Control ... 8
Exhibit 5: Configuration Accounting ... 9
Exhibit 6: Configuration Auditing ... 9
Exhibit 7: Windows® Server and Desktop Software Configuration Changes ... 11
1. Executive Summary

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with International Business Machines (IBM) Business Consulting Services (hereafter referred to as IBM) to audit and report on the effectiveness of the FDIC’s configuration management controls over operating system software. Federal agencies are required by the Federal Information Security Management Act of 2002 (FISMA)[1] to establish and implement minimally acceptable configuration requirements for their information systems. In addition, agency Chief Information Officers (CIO) and Inspectors General are required by Office of Management and Budget (OMB) policy to assess and report on the implementation of agency configuration management controls as part of their annual FISMA reviews and evaluations. The results of this audit support the OIG in fulfilling its evaluation and reporting responsibilities under FISMA. IBM conducted its work in accordance with generally accepted government auditing standards.

The objective of the audit was to determine whether the FDIC had established and implemented configuration management controls over its operating system software that were consistent with federal standards and guidelines and industry-accepted practices. The scope of the audit focused on four of the FDIC’s operating system software platforms: (1) Microsoft Windows® for servers, (2) Microsoft Windows® for desktop (and laptop) computers, (3) Sun Microsystems, Inc.’s Solaris™ for servers, and (4) Cisco IOS® for telecommunications. IBM chose these four platforms because they support many of the FDIC’s sensitive and mission-critical business applications.
IBM used the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, and the Capability Maturity Model Integration (CMMI)[2] developed by Carnegie Mellon University’s Software Engineering Institute (SEI) as the primary criteria for conducting the audit. IBM chose the CMMI because it defines a generally accepted set of software configuration management principles, and the FDIC’s Division of Information Technology (DIT) has embraced the CMMI as a means of achieving process improvement. The recommendations contained in this report are designed to promote compliance with federal standards and guidelines and further the FDIC’s goal of achieving CMMI process improvements.

A detailed description of the audit’s scope and methodology is contained in Appendix A. Appendix D contains a list of acronyms, and Appendix E contains a glossary of terms used in the report.

Results of the Audit

DIT established and implemented a number of configuration management controls over its operating system software that were consistent with federal standards and guidelines and industry-accepted practices. Such controls included a software patch management policy, an FDIC Infrastructure Change Control Board,[3] and periodic scanning of operating system software configurations. Such actions were positive; however, control improvements were needed. Specifically, DIT needed to establish an organizational policy and system-specific procedures to ensure proper configuration management of operating system software. DIT also needed to standardize and integrate the recording, tracking, and reporting of operating system software configuration changes to the extent practical. Collectively, these control weaknesses limited the FDIC’s assurance that its configuration management practices were efficient and effective and that systems were configured to minimize the risk of security vulnerabilities and service interruptions. A summary of IBM’s recommendations follows.

[1] Appendix C contains additional information on the laws and regulations referenced in this report.
[2] CMMI Version 1.1 for Systems Engineering, Software Engineering, Integrated Product and Process Development, and Supplier Sourcing (Continuous Representation), dated March 2002. The CMMI is a process improvement methodology that defines six capability levels reflecting an organization’s ability to perform, control, and improve its performance. Appendix B contains additional information on the CMMI. CMMI is a service mark of Carnegie Mellon University.

Summary Recommendations

IBM recommends that the FDIC CIO:

• Establish a policy that takes an enterprise approach to defining the roles, responsibilities, and overall principles and management expectations for performing configuration management on operating system software. The policy should address requirements for developing and maintaining configuration management plans and performing periodic self-assessments of configuration management processes and practices.

• Develop configuration management plan(s) covering the four operating system software platforms addressed in this report consistent with federal standards and guidelines and industry-accepted practices.
  DIT should determine whether other operating system software platforms require configuration management plan(s) and develop such plans where appropriate.

• Ensure that the certification and accreditation of the FDIC’s general support systems incorporate an evaluation and testing of the FDIC’s configuration management policy and plans referenced in recommendations 1 and 2 of this report.

• Document the minimum required configuration settings for the Windows® server and desktop operating system platforms, and develop procedures to ensure that changes to baseline configuration settings are documented.

• Standardize and integrate the recording, tracking, and reporting of operating system software configuration changes to the maximum extent practical. As part of this effort, DIT should consider using automated mechanisms to improve performance metric reporting for configuration changes from a system-specific and enterprise perspective.

[3] DIT established the FDIC Infrastructure Change Control Board in February 2005 to formally review and approve changes to the information technology infrastructure and technical architecture; ensure that changes are well planned, communicated, and coordinated; and manage the change control process.

2. Background

Key to ensuring the integrity, security, and reliability of any information system is implementing structured processes for managing the inevitable changes that will occur during the system’s life cycle.
Such processes, collectively referred to as configuration management, include evaluating, authorizing, testing, tracking, reporting, and verifying both hardware- and software-related changes. Typical changes that should be subject to formal configuration management in the operating system software environment include the installation of security patches that address known vulnerabilities, programs that support system maintenance, and upgrades (referred to as “service packs”) that improve system performance, security, and functionality. Without disciplined processes for controlling software changes, management cannot be assured that its systems will operate as intended, that software defects will be minimized, or that systems maintenance will be performed in a cost-effective or timely manner.

A number of internationally recognized software configuration management standards are in wide use today. These include standards published by the SEI,[4] Project Management Institute, American National Standards Institute/Institute of Electrical and Electronic Engineers, and International Organization for Standardization. IBM selected SEI’s CMMI as a key criterion for conducting the audit because the CMMI defines generally accepted software configuration management principles, and DIT has embraced the CMMI as a means of achieving information technology (IT) process improvement. In addition, the configuration management principles embodied in the CMMI are consistent with the configuration management security controls defined in NIST SP 800-53 for non-national security federal information systems. Exhibit 1 depicts the software configuration management principles of the CMMI. These four principles are based on the best practices of carefully chosen disciplines, including systems analysis and design and software engineering. IBM’s audit results are organized around these four fundamental principles, which are described in greater detail below.

[Exhibit 1: Software Configuration Management Principles of the CMMI. Source: IBM Analysis of the CMMI.]

Configuration Identification involves the establishment of baseline configurations for “work products” that are subject to configuration management. Typical work products subject to configuration management within the operating system environment include software, such as the system itself and its component parts, and documents, such as server and desktop build procedures, systems inventories, and configuration management plans. Establishing and enforcing baseline configurations is critical to reducing software maintenance costs and ensuring secure and reliable systems. For example, without a baseline configuration for desktop operating systems, such as Microsoft Windows® XP Professional Service Pack 2, organizations would expend excessive time and resources patching, troubleshooting, and testing changes for earlier desktop versions of Windows®, such as Windows® XP Professional Service Pack 1.

[4] SEI is a federally funded software engineering research and development center sponsored by the Department of Defense. Founded in 1984, SEI’s mission is to assist organizations in improving their software engineering capabilities.
Baseline configurations serve as the basis for future development and should be modified only through the change control processes described under Configuration Control below.

Configuration Control is the heart of configuration management because it involves implementing a change management system to systematically control and monitor changes to the baseline configurations established under Configuration Identification. A change management system consists of policies, procedures, automated tools, and other controls for performing the change management process steps depicted in Exhibit 2. Configuration Control ensures that proposed software changes are properly evaluated for compliance with applicable standards, assessed and tested to avoid potential disruptions or compromise of system security, approved or disapproved by appropriate authorities, verified upon completion, and reflected in baseline configurations.

[Exhibit 2: Change Management Process Steps. Source: IBM Analysis of the CMMI.]

Configuration Status Accounting is the recording and reporting of configuration management activities in sufficient detail to provide stakeholders with information needed to manage their work products. Such information can include metrics such as the number of in-process and completed configuration changes at a particular point in time, the average time spent processing high-priority or low-priority changes, and the number of changes that address new requirements or defects in work products.[5] By performing trend analysis of such metrics, management can identify potential problems in its configuration management processes.
Configuration Status Accounting information is used to make important policy, resource, and budget decisions and assists managers in determining whether configuration management processes and practices are efficient, effective, and achieving intended results. Due to the complexity and volume of configuration changes associated with operating system software, many organizations use automated configuration management tools to centrally track, record, and report the status of configuration changes.

Configuration Auditing involves the self-assessment of an organization’s configuration management activities and processes to determine whether controls function as intended. Such self-assessments provide management with assurance that baseline configurations and related documentation are current, accurate, and complete and that implemented changes can be traced to original requirements. The results of configuration management audits can be subject to review by independent third parties.

[5] Examples of configuration changes resulting from defects in work products include (1) the redeployment of a software patch because the original deployment did not successfully install on all target servers or workstations or (2) corrective actions to address a software functionality problem caused by incompatibility. Tracking such changes is important because they could be an indication of inadequate testing or other configuration management problems.

Roles and Responsibilities for Operating System Software

DIT has overall responsibility for maintaining the configuration of the FDIC’s operating system software.
Responsibility for maintaining the configuration of individual operating system software platforms is shared among two branches and several sections within DIT’s Infrastructure Services (IS). Table 1 below identifies the four operating system software platforms selected for the audit, along with a brief description of the platform and the IS section with primary responsibility for its configuration.

Table 1: Operating System Software Platforms Reviewed

Platform: Microsoft Windows® for Servers
  General description: Windows® 2000 Advanced Server is the standard operating system in the network server environment.* The Windows® server platform supports network-based applications, such as the New Financial Environment and FDICconnect, as well as IT services for managing the network.
  IS branch/section with primary responsibility: Software Support Branch, Server Software Section; Operations Branch, LAN Management Section

Platform: Microsoft Windows® for Desktop (and Laptop) Computers
  General description: Windows® XP Professional is the standard operating system in the desktop computer environment. Windows® XP Professional primarily supports user productivity tools, such as the Internet Explorer and Microsoft Office Suite.
  IS branch/section with primary responsibility: Software Support Branch, Client Software Section; Operations Branch, LAN Management Section

Platform: Sun Microsystems, Inc., Solaris™
  General description: Solaris™ is the standard operating system in the UNIX® environment. Solaris™ supports core IT infrastructure services, such as the Public Key Infrastructure, and a number of business applications, such as the Overarching Automation System and Corporate Human Resources Information System Time and Attendance system.
  IS branch/section with primary responsibility: Software Support Branch, Server Software Section; Operations Branch, Telecommunications Section

Platform: Cisco IOS®
  General description: Cisco IOS® supports the routing, message processing, and protocol interfaces needed to transfer data over the FDIC’s LANs, metropolitan area networks, and wide area network.
  IS branch/section with primary responsibility: Operations Branch, Telecommunications Section

* At the time of our audit, DIT supported a limited number of servers operating the Windows NT® and Windows® 2003 operating systems.

Recent Control Improvements

DIT has taken a number of recent actions to strengthen its configuration management controls over operating system software, and additional improvements were underway during the audit. Of particular note, DIT issued a formal patch management policy,[6] established the FDIC Infrastructure Change Control Board, and strengthened its security vulnerability scanning techniques[7] for network devices.
DIT also established a new performance-based contracting structure in September 2004 that included a service-level agreement to achieve CMMI process improvement in infrastructure operations (including software configuration management). In addition, DIT was working to improve the integrity of patch information reported by the Microsoft Systems Management Server (SMS) 2003[8] and implement Symantec’s Enterprise Security Manager on the FDIC’s IT infrastructure to better monitor the configuration of Windows® servers. While such improvements promote an enterprise-wide approach to performing configuration management, additional controls are needed to ensure proper management of operating system software configuration.

[6] DIT Policy Memorandum 04-004, Policy on Security Patch Management, dated April 15, 2004.
[7] DIT began using the Harris Corporation’s Security Threat Avoidance Technology (STAT®) vulnerability assessment scanner in December 2004.
[8] SMS is a key configuration management tool used on the Windows® server and desktop computing platforms. DIT uses SMS to remotely scan devices on these software platforms, inventory installed software, distribute security patches and other software, and generate reports on installed/uninstalled software.

3. Detailed Finding: Configuration Management Controls for Operating System Software

CONDITION

DIT established and implemented a number of configuration management controls over its operating system software that were consistent with federal standards and guidelines and industry-accepted practices.
Such controls included a software patch management policy, an FDIC Infrastructure Change Control Board, and periodic scanning of operating system software configurations. Such actions were positive; however, control weaknesses existed relating to each of the four configuration management principles defined in the CMMI. A description of these weaknesses follows.

Configuration Identification

[Exhibit 3: Configuration Identification. Source: IBM Analysis of the CMMI.]

DIT used a number of key work products, such as server and desktop build procedures, ghost imaging procedures, software image files, and system inventories, to manage the configuration of the four operating system software platforms that we reviewed. DIT had not subjected these work products to formal configuration management, as defined by the CMMI, to ensure that they were current, accurate, and complete. Specifically, DIT had not developed procedures for (1) identifying work products that should be subject to configuration management, (2) designating responsibility for maintaining current and historical versions of work products, (3) designating authority to approve changes to work products, and (4) determining when work products should be revised.[9] Such procedures are typically documented in a configuration management policy and/or system configuration management plan(s).

DIT defined configuration procedures in various documents but had not documented procedures for the ongoing identification and documentation of minimum custom baseline configuration settings applicable to the Windows® server and desktop operating system platforms. Custom configuration settings include, for example, registry permissions, Internet Explorer settings, local system security settings, and unnecessary computer services that should be disabled or uninstalled. In OIG Audit Report No. 05-016 entitled, Audit of Security Controls Over the FDIC’s Electronic Mail Infrastructure, dated March 31, 2005, IBM noted that DIT had not documented procedures for disabling unnecessary computer services on Exchange e-mail servers when appropriate. Based on a sample of 15 e-mail servers, IBM identified 6 computer services that had been enabled but were not required for processing e-mail. The six unnecessary computer services presented a potential security risk because they could have been exploited by a virus, worm, or other malicious program to damage the FDIC’s IT resources.

[9] Organizations can use different criteria for determining when a work product subject to configuration management should be revised. For example, an organization may require that its desktop build procedures and associated software image files be updated only following a major operating system upgrade, while another organization may require updates to these same work products periodically, such as monthly.

Configuration Control

[Exhibit 4: Configuration Control. Source: IBM Analysis of the CMMI.]

DIT had not standardized or integrated its processes for tracking and recording configuration changes within or across its operating system software platforms to ensure that such changes were properly controlled, accounted for, and reported. For example, software-related changes[10] for one of four operating system software platforms reviewed (i.e., Windows® server) were documented using standard forms that were stored in a central location. However, hardware-related changes[11] for this same platform were neither recorded using a standard form nor stored in a central repository.
To obtain information about hardware-related changes for this platform, such as when a change was made, who implemented it, what testing was performed, or who verified it, IBM had to speak with systems personnel with first-hand knowledge of the changes. Configuration changes for another of the four operating system software platforms (i.e., Sun Microsystems, Inc.'s Solaris™ for servers) were either managed through an automated change management tool[12] or recorded in various Microsoft Word documents, depending on which IS branch and section had responsibility for the servers affected by the change.

Although DIT had developed test plans and roll-back plans[13] for its major operating system upgrades, test plans and roll-back plans were generally not documented for other configuration changes. While IS personnel stated that they had tested configuration changes before implementing them, test plans and test results were not documented for 22 of 25 judgmentally selected configuration changes to the four operating system software platforms. In addition, 21 of the 25 configuration changes did not have a documented roll-back plan. Test plans, roll-back plans, and test results are important for ensuring that configuration changes function as intended and have no negative impact on IT operations. In January 2005, several hundred FDIC users were unable to access their Outlook e-mail for several days following an unsuccessful configuration change to a key e-mail server. IBM noted that DIT had not documented a test plan, test results, or roll-back plan for this configuration change. Test results also document system incompatibilities and management's rationale for making specific configuration decisions. The level of documentation needed for test plans, roll-back plans, and test results should be based on the risk and complexity of a configuration change and could be as simple as a completed checklist or memorandum.

[10] Software-related changes include, for example, the installation or removal of items such as service packs, security patches, and software programs.
[11] Hardware-related changes include, for example, the installation or removal of items such as network interface cards and server hard drives. Hardware-related changes can directly impact the performance of operating system software.
[12] The tool used was the FDIC Change Management System (FCMS). FCMS has formal automated workflow process capabilities, such as the ability to track, record, and report configuration change requests.
[13] Sometimes referred to as a "back-out plan," a roll-back plan describes the system recovery steps to be followed should a configuration change cause an unexpected, negative effect on an organization's IT operations.

Configuration Accounting

Exhibit 5: Configuration Accounting (Source: IBM Analysis of the CMMI)

DIT collected and reported configuration status information on the four operating system software platforms that we reviewed through a variety of means, including the FDIC Infrastructure Change Control Board meetings, SMS reports on patch deployments, and software scanning techniques. However, DIT did not track or report key configuration management metrics within or across its operating system software platforms. Such metrics could include, for example, the number of in-process and completed configuration changes, the status of in-process changes, or the average amount of time (i.e., speed) to implement high-priority versus low-priority changes. In addition, because DIT did not classify configuration changes as addressing new requirements or defects in work products, DIT was unable to determine the amount of effort expended to enhance software versus correct problems.

Configuration Auditing

Exhibit 6: Configuration Auditing (Source: IBM Analysis of the CMMI)

DIT used various automated tools to evaluate the configuration of its operating system software,[14] but had not developed self-assessment procedures for determining whether configuration management controls functioned as intended. Developing self-assessment procedures is a recognized practice in configuration management and could be used to detect or prevent the types of process weaknesses identified in this report.
Common self-assessment procedures include evaluating the integrity of key work products subject to configuration management; determining whether change request documentation is current, accurate, and complete; inspecting configuration changes for compliance with applicable policies, procedures, and guidelines; and verifying that configuration changes have been implemented as intended.

[14] Such tools included SMS, the Foundstone vulnerability scanner, the Harris Corporation's STAT scanner, and the Shavlik patch scanner.

CAUSE

Several causes contributed to the control weaknesses in DIT's configuration management processes and practices, as discussed below.

Organizational Policy and System-Specific Procedures

Circular 1320.4, FDIC Software Configuration Management Policy, dated July 8, 2003, establishes key roles and responsibilities, management expectations, and requirements for configuration management (including the need for configuration management plans, reviews of configuration management processes, and the use of automated configuration management tools). However, the circular is limited to application software and does not address operating system software. An organizational configuration management policy should define overall principles and expectations for performing operating system software configuration management and the associated roles and responsibilities of key personnel and organizational components, such as system engineers, administrators, and the FDIC Infrastructure Change Control Board. The policy should also address, and be a critical component of, the certification and accreditation process for operating system software.[15] An organizational policy is an important component of an enterprise approach to software configuration management.

DIT documented a number of its configuration management practices in various policies and procedures and established the FDIC Infrastructure Change Control Board to oversee configuration changes to the FDIC's operating system software. However, DIT had not developed configuration management plan(s) for any of the four operating system software platforms that IBM audited. Configuration management plans are a fundamental control for maintaining proper configuration of information systems because the plans define procedures for evaluating, classifying, authorizing, testing, documenting, and verifying configuration changes. These plans also define the system-specific roles and responsibilities (including controls for ensuring appropriate separation of duties) of key stakeholders and procedures for identifying, maintaining, and updating work products subject to configuration management. In addition, configuration management plans can describe the type and frequency of configuration status information to be tracked and reported to management, training requirements for key personnel, and requirements for conducting self-assessments of configuration management controls. Configuration management plans are an important component of system certification and accreditation. Because systems vary in complexity and design, configuration management plans should be tailored to the requirements of individual systems.

Automated Workflow Processes

The lack of standardization and integration in DIT's practices of recording, tracking, and reporting system configuration changes was caused primarily by a lack of automated workflow processes using configuration management tools. System change requests for three of the four operating system software platforms reviewed were not managed with an automated workflow process tool. Although DIT used a workflow process tool to manage change requests on the remaining platform (i.e., Sun Microsystems, Inc.'s Solaris™ for servers), the tool was not used to track all change requests on the platform. In addition, system change requests for two other platforms (i.e., Windows® server and desktop) were generally stored in Outlook e-mail folders and Microsoft Word documents rather than in a central repository that could be used for tracking, reporting, or interfacing with other corporate systems, such as REMEDY®.[16] The lack of automated workflow processes using configuration management tools contributed to the absence of meaningful configuration management metrics discussed earlier.

[15] Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
[16] REMEDY is used to track trouble tickets and IT hardware inventory.

Exhibit 7: Windows® Server and Desktop Software Configuration Changes (Source: Analysis of DIT's Windows® Implementation Announcements Outlook E-Mail Folders)

Exhibit 7 illustrates the combined number of application and infrastructure configuration changes affecting two of the four operating system software platforms that IBM reviewed.[17] An automated workflow process tool to manage such a large number of configuration changes offers many advantages, such as defined business processes built into the tool that promote consistent, auditable, and repeatable change control practices. Configuration requirements can vary from system to system. Therefore, a single automated workflow process tool may not satisfy all configuration management needs. Selecting a workflow process tool should be based on an assessment of DIT's existing information systems and commercially available software products.

CRITERIA

The CMMI, NIST, and OMB have established a number of guiding principles for effective software configuration management, as discussed below.

Organizational Policy and System-Specific Procedures

The CMMI identifies an organizational configuration management policy as an important control for effectively planning and performing software configuration management. According to the CMMI, the configuration management policy defines organizational expectations for establishing and maintaining configuration baselines and tracking and controlling changes to work products subject to configuration management. Additionally, NIST SP 800-53 references a "formal, documented, configuration management policy that addresses purpose, scope, roles, responsibilities, and compliance [i.e., self-assessments]" as a recommended security control for protecting federal information systems.

A key practice in the CMMI is performing periodic audits (i.e., self-assessments) of configuration management activities and processes to ensure the integrity of baseline configurations and related documentation. Self-assessments evaluate compliance with applicable configuration management standards and procedures and verify the integrity of items in the configuration management system based on requirements documented in the configuration management plan. In addition, NIST SP 800-53 recognizes audit activities associated with configuration changes to federal information systems as a recommended security practice.

The CMMI recognizes the importance of establishing and maintaining a configuration management plan.
According to the CMMI, an important configuration management practice is identifying work products that will be subject to configuration management based on documented criteria and designating individuals responsible for work product maintenance. NIST SP 800-53 identifies a configuration management plan as a recommended security control for protecting federal information systems. The NIST publication also references "formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls" as a component of a security control structure. In addition, NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, notes that configuration management plans are a key security-related document that can be part of the security accreditation package. The Computer Security Division of NIST maintains examples of configuration management plans for operating system software at its Web site http://csrc.nist.gov/fasp under the link entitled "FASP Areas."[18]

Further, NIST SP 800-53 recognizes the importance of maintaining an organization-defined list of prohibited computer services and configuring IT products to the most restrictive mode consistent with system operational requirements. In addition, NIST SP 800-70, The NIST Security Configuration Checklists Program, contains detailed guidance that should be used when configuring operating system software settings.

Automated Workflow Processes

The CMMI addresses the importance of establishing and maintaining a change management system to store, update, and retrieve configuration management records and other work products subject to configuration management. The change management system includes a change request database wherein change requests are initiated and recorded and configuration management reports are generated. NIST SP 800-53 states that organizations should employ automated mechanisms to (i) document proposed changes to the system, (ii) notify appropriate approval authorities, (iii) identify approvals that have not been received in a timely manner, (iv) inhibit change until necessary approvals are received, and (v) document completed changes to the information system. NIST SP 800-53 also recognizes that organizations should employ automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration. Automating change control practices is also consistent with DIT's infrastructure services contract, which requires contractor personnel, whenever possible and practical, to consolidate IT platforms and operations, integrate infrastructure requirements into efficient and effective solutions, and capture and deliver information in real or near-real time using electronic means.

OMB Circular No. A-130, Management of Federal Information Resources, dated November 28, 2000, requires agencies to institute performance measures and management processes that monitor actual performance against expected results. The CMMI describes various types of configuration metrics, such as the status of change requests and the number of change requests related to software defects, that are part of configuration management. Such metrics would be a valuable asset to DIT management in evaluating the performance of the FDIC's IT infrastructure services contractors.

[17] IBM was unable to determine the number of configuration changes relating to the infrastructure because infrastructure changes were not stored separately from application changes.
[18] Federal Agency Security Practices (FASP). The FASP effort was initiated as a result of the success of the Federal CIO Council's Federal Best Security Practices pilot effort to identify, evaluate, and disseminate best practices for critical infrastructure protection and security.

EFFECT

The lack of an organizational policy and system-specific configuration management procedures limited the FDIC's assurance that its information systems were configured to minimize the risk of security vulnerabilities and IT service interruptions. Absent appropriate policies and procedures, DIT is overly dependent on the knowledge and experience of individual system engineers and administrators to maintain minimum baseline configuration settings consistently across platforms. The lack of automated workflow processes impaired DIT's ability to efficiently and effectively manage system configuration changes throughout the systems' life cycle and to report meaningful configuration metrics to management. In addition, the lack of periodic self-assessments of configuration management controls limited DIT's assurance that key work products were current, accurate, and complete and that configuration management processes were efficient, effective, and achieving intended results.

RECOMMENDATIONS

IBM recommends that the FDIC CIO:

    1. Establish a policy that takes an enterprise approach to defining the roles, responsibilities, and overall principles and management expectations for performing configuration management on operating system software. The policy should address requirements for developing and maintaining configuration management plans and performing periodic self-assessments of configuration management processes and practices.

    2. Develop configuration management plan(s) covering the four operating system software platforms addressed in this report, consistent with federal standards and guidelines and industry-accepted practices. DIT should determine whether other operating system software platforms require configuration management plan(s) and develop such plans where appropriate.

    3. Ensure that the certification and accreditation of the FDIC's general support systems incorporate an evaluation and testing of the FDIC's configuration management policy and plans referenced in recommendations 1 and 2 of this report.

    4. Document the minimum required configuration settings for the Windows® server and desktop operating system platforms and develop procedures to ensure that changes to baseline configuration settings are captured and documented.

    5. Standardize and integrate the recording, tracking, and reporting of operating system software configuration changes to the maximum extent practical.
       As part of this effort, DIT should consider using automated mechanisms to improve performance metric reporting for configuration changes from a system-specific and enterprise perspective.

APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audit was to determine whether the FDIC had established and implemented configuration management controls over its operating system software that were consistent with federal standards and guidelines and industry-accepted practices. The scope of the audit focused on four operating system software platforms: (1) Microsoft Windows® for servers,[19] (2) Microsoft Windows® for desktop (and laptop) computers, (3) Sun Microsystems, Inc.'s Solaris™ for servers, and (4) Cisco IOS® for telecommunications. IBM chose these four platforms because they support many of the FDIC's sensitive and mission-critical business applications. The audit did not include an evaluation of the FDIC's configuration management controls over applications running on the four operating system software platforms because DIT was performing an internal assessment of application configuration management controls.

To accomplish the audit objective, IBM interviewed key DIT personnel who had responsibility for maintaining the configuration of the four operating system software platforms. IBM reviewed relevant FDIC policies, procedures, and guidelines and evaluated key documents and reports, such as server and desktop build procedures, system security plans, and DIT's Daily Reports for Technical Infrastructure. IBM also reviewed DIT's security self-assessment procedures that were designed to ensure the secure configuration of the four selected platforms. In addition, IBM evaluated DIT's change control procedures for each of the four platforms by testing a judgmental sample of configuration changes. Using source documentation and DIT's automated systems of record, IBM determined whether selected configuration changes had been properly authorized, evaluated, tested, tracked, implemented, and reported. IBM coordinated its work with an ongoing DIT internal assessment of the security patch management process for desktop computers.

IBM used NIST SP 800-53, Recommended Security Controls for Federal Information Systems, and the configuration management principles defined in the CMMI, developed by Carnegie Mellon University's SEI, as the primary criteria for conducting the audit. In addition, IBM used relevant provisions of the Government Accountability Office's Federal Information System Controls Audit Manual[20] and NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, as supplemental criteria. The OIG evaluated the nature, timing, and extent of work described in IBM's audit program, obtained an understanding of IBM's methodologies and assumptions, attended key meetings, monitored progress throughout the audit, and performed other appropriate procedures. In this manner, the OIG was able to assure itself that, except for the performance of an external peer review, IBM's audit work complied with generally accepted government auditing standards. IBM conducted its field work from October 2004 through June 2005.

[19] The FDIC's standard server-based operating system in the network environment is Microsoft Windows® 2000 Advanced Server. At the time of our audit, DIT was maintaining a limited number of servers operating the Windows NT® and Windows® 2003 operating systems.
[20] The manual provides guidance for reviewing information system controls (including software configuration management controls) that affect the integrity, confidentiality, and availability of computerized data.

Prior Audit Coverage

On September 1, 2000, the OIG issued Audit Report No. 00-038, Audit of the Information Technology Configuration Management Program. The report states that the then Division of Information Resources Management (now DIT) was in the process of developing a plan to establish a formal IT configuration management program. The report discusses the salient components of effective configuration management and recommends considering these components in developing and implementing a formal configuration management program. FDIC management had taken action sufficient to close the recommendation.

Computer-based Data, Performance Measures, and Illegal Acts

IBM performed appropriate procedures to ensure that computer-based data were valid and reliable when those data were significant to the audit's findings and conclusions. Such procedures included verifying selected automated data against source documentation and corroborating automated data through interviews with appropriate DIT personnel. In addition, IBM evaluated whether DIT's configuration management performance metrics for operating system software were consistent with federal and industry guidance. Finally, IBM did not develop specific audit procedures to detect fraud and illegal acts because they were not considered material to the audit objective. However, throughout the audit, IBM was sensitive to the potential for fraud, waste, abuse, and mismanagement.

APPENDIX B: ADDITIONAL INFORMATION ON THE CAPABILITY MATURITY MODEL INTEGRATION

The CMMI combines a carefully chosen set of best practices based on experience in four bodies of knowledge (described in Table 2 below). Organizations from industry, government, and Carnegie Mellon University's SEI jointly developed the CMMI to provide organizations a mechanism to effectively appraise their process area capabilities, establish priorities, and implement improvements.

Table 2: CMMI Bodies of Knowledge

System Engineering: Covers the development of total systems, which may or may not include software. Systems engineers focus on transforming customers' needs, expectations, and constraints into products and supporting these products throughout their life cycle.

Software Engineering: Covers the development of software systems. Software engineers focus on applying systematic, disciplined, and quantifiable approaches to the development, operation, and maintenance of software.

Integrated Product and Process Development: Provides a systematic approach that achieves a timely collaboration of relevant stakeholders throughout the life of a product to satisfy customers' needs, expectations, and requirements.
The processes to support an Integrated Product and Process Development approach are integrated with the other processes in the organization.

Supplier Sourcing: Covers the use of suppliers to perform functions or add modifications to products that are specifically needed by a project. Projects benefit from enhanced source analysis and monitoring supplier activities before product delivery.

The CMMI supports two representations: staged and continuous. The staged representation provides a proven sequence of improvements, beginning with basic management practices and progressing through a pre-defined and proven path of successive levels, each serving as a foundation for the next. The staged representation permits comparisons across and among organizations by the use of overall, organization-wide maturity levels. The continuous representation allows an organization to select the order of improvement that best meets its business objectives and mitigates the organization’s areas of risk. The continuous representation enables comparisons across and among organizations on a process-area-by-process-area basis, using the six capability levels depicted in Table 3 on the next page. Both representations are designed to achieve essentially equivalent results.

FDIC’s IT Configuration Management Controls Over Operating System Software
Prepared for the Federal Deposit Insurance Corporation Office of Inspector General   I-17

Table 3: Capability Levels (Continuous Representation)
Excerpts From the CMMI

Capability Level 0: Incomplete. Reflects processes that are either not performed or partially performed.

Capability Level 1: Performed. Reflects processes that support and enable the work needed to produce identified work products.

Capability Level 2: Managed. Reflects processes that are planned and executed in accordance with policy, employ skilled people having adequate resources to produce controlled outputs, involve relevant stakeholders, are monitored, controlled, and reviewed, and are evaluated for adherence to their process descriptions. A critical distinction between a performed process and a managed process is the extent to which the process is managed. A managed process is planned, and the performance of the process is managed against the plan. Corrective actions are taken when the actual results and performance deviate significantly from the plan.

Capability Level 3: Defined. Reflects managed processes that are tailored from the organization’s set of standard processes according to the organization’s tailoring guidelines and contribute work products, measures, and other process-improvement information to the organizational process assets. The organization’s set of standard processes, which are the basis of the defined process, are established and improved over time.

Capability Level 4: Quantitatively Managed. Reflects processes that are controlled using statistical and other quantitative techniques. Quantitative objectives for quality and process performance are established and used as criteria in managing the process.

Capability Level 5: Optimizing. Reflects processes that are quantitatively managed and changed and adapted to meet relevant current and projected business objectives. An optimizing process focuses on continually improving process performance through both incremental and innovative technological improvements. Process improvements that would address root causes of process variation and measurably improve the organization’s processes are identified, evaluated, and deployed as appropriate.

IBM used the CMMI Version 1.1 for Systems Engineering, Software Engineering, Integrated Product and Process Development, and Supplier Sourcing (Continuous Representation), dated March 2002 (CMMI-SE/SW/IPPD/SS, V1.1), as a key criterion for conducting the audit because the CMMI defines generally accepted software configuration management principles, and DIT has embraced the CMMI as a means of achieving IT process improvement.

APPENDIX C: LAWS AND REGULATIONS

Below are the key statutes, regulations, standards, and guidelines that were considered during the audit. Statutory and regulatory sources may not be legally binding on the FDIC; see individual references for further information.

Federal Information Security Management Act (FISMA), title III, E-Government Act of 2002, Pub. L. No. 107-347, dated December 17, 2002
http://www.cio.gov/archive/e_gov_act_2002.pdf

Enacted as part of the E-Government Act of 2002, FISMA permanently re-authorized and strengthened the information security program, evaluation, and reporting requirements established by the Government Information Security Reform Act (GISRA), which expired in November 2002.
FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources supporting federal operations and assets. Among its provisions, FISMA requires federal agencies to establish and implement minimally acceptable configuration requirements for their information systems; see section 301(b). For purposes of that section, the FDIC is considered an agency and is, therefore, subject to its provisions.

OMB Circular No. A-130, Management of Federal Information Resources (Transmittal Memorandum No. 4), Appendix III, Security of Federal Automated Information Resources, dated November 2000 (OMB A-130, Appendix III)
http://www.whitehouse.gov/omb/circulars/a130/a130appendix_iii.html

OMB A-130, Appendix III, establishes minimum controls for federal automated information security programs. The FDIC’s Legal Division has opined that portions of the circular apply to the FDIC, while other portions do not apply. The Legal Division specifically opined that Appendix III of the circular legally requires the FDIC to implement and maintain an information security program consistent with government-wide policies, standards, and procedures issued by the OMB and the U.S. Department of Commerce.

NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, dated February 2005
http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf

The publication defines minimum recommended security controls for non-national security federal information systems based on the impact levels defined in NIST Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. NIST SP 800-53 provides guidelines for selecting and specifying minimum security controls for federal information systems until the publication of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (projected for publication December 2005). The guidelines have been developed to help achieve more secure systems within the federal government. NIST SPs are, by their own terms, guidelines (rather than mandatory requirements) for agencies in implementing their IT operations.

APPENDIX D: ACRONYMS

Acronym   Definition
CIO       Chief Information Officer
CMMI      Capability Maturity Model Integration
DIT       Division of Information Technology
FCMS      FDIC Change Management System
FDIC      Federal Deposit Insurance Corporation
FISMA     Federal Information Security Management Act
IBM       International Business Machines Business Consulting Services
IS        Infrastructure Services
IT        Information Technology
NIST      National Institute of Standards and Technology
OIG       Office of Inspector General
OMB       Office of Management and Budget
POA&M     Plan of Action & Milestones
SEI       Software Engineering Institute
SMS       Systems Management Server
SP        Special Publication

APPENDIX E: GLOSSARY OF TERMS

Accreditation: Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.

Baseline: A set of configuration items that has been reviewed and agreed upon and, thereafter, serves as the basis for future management, development, or maintenance.

Build Procedures: Automated and documented procedures used for installing operating system software on servers and desktops.

Capability Level: A capability level consists of related specific and generic practices for a process area that can improve the organization’s processes associated with that process area.

Certification: Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Configuration Accounting: An element of configuration management consisting of the recording and reporting of information needed to manage a configuration effectively.

Configuration Audit: A self-assessment conducted to verify that a configuration item conforms to a specified standard or requirement.

Configuration Control: An element of configuration management consisting of the evaluation, coordination, approval or disapproval, and implementation of changes to configuration items following configuration identification.

Configuration Identification: An element of configuration management consisting of selecting configuration items for a product, assigning unique identifiers to them, and recording their functional and physical characteristics in technical documentation.

Configuration Item: An aggregation of work products designated for configuration management and treated as a single entity in the configuration management process.

General Support System: An interconnected set of information resources under the same direct management control. This system normally includes hardware, software, information, data, applications, communications, and people.

National Institute of Standards and Technology: A non-regulatory federal agency within the U.S. Department of Commerce’s Technology Administration. NIST publishes technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive, but unclassified, information in federal computer systems.

Plan of Action and Milestones: A plan of action and milestones (POA&M), sometimes referred to as a corrective action plan, is a tool that identifies tasks to be accomplished. It details resources required to accomplish the elements of the plan, milestones in meeting the task, and scheduled completion dates for the milestones. POA&Ms assist management in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for weaknesses identified in programs and systems.

Roll-back Plan: A documented plan (sometimes called a “back-out plan”) that describes the system recovery steps to be followed should a configuration change cause an unexpected, negative effect on an organization’s IT operations.

Security Vulnerability: A flaw or weakness in the design or implementation of an information system (including the security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely affect an organization’s operations or assets through a loss of confidentiality, integrity, or availability.

Software Configuration Management: The technical and administrative processes of identifying, documenting, and maintaining configuration item integrity; controlling configuration item changes; recording and reporting on configuration item change status; and verifying compliance with policy.

Work Product: An artifact produced by a process, such as server and desktop build procedures, ghost imaging procedures, software image files, system inventories, and other files, documents, services, processes, and specifications.

Part II

Corporation Comments and OIG Evaluation

CORPORATION COMMENTS AND OIG EVALUATION

The report contains five recommendations directed to the CIO. The CIO’s response to the draft report is presented in its entirety, beginning on page II-6. DIT concurred with two of the report’s recommendations, and partially concurred with the remaining three recommendations. Based on the CIO’s response, the five report recommendations are considered resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions have been completed and are effective. The CIO’s responses for each of the report’s recommendations are summarized below along with our evaluation of the responses.

Recommendation 1: The CIO should establish a policy that takes an enterprise approach to defining the roles, responsibilities, and overall principles and management expectations for performing configuration management on operating system software. The policy should address requirements for developing and maintaining configuration management plans and performing periodic self-assessments of configuration management processes and practices.

DIT Response: DIT partially concurs with the recommendation. DIT does not believe that a single policy covering all types of software is necessarily the best approach. However, DIT agrees to review its policies to determine how to effectively cover configuration management of the various operating systems and will develop appropriate modifications to existing policies or a new policy, as required, to meet the intent of the recommendation. The new and/or revised policy will be established from a high-level, enterprise approach that will address requirements for configuration management plans and periodic self-assessments.

OIG Evaluation of Response: DIT’s response meets the intent of our recommendation. The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 2: The CIO should develop configuration management plan(s) covering the four operating system software platforms addressed in this report consistent with federal standards and guidelines and industry-accepted practices. DIT should determine whether other operating system software platforms require configuration management plan(s) and develop such plans where appropriate.

DIT Response: DIT concurs with the recommendation. DIT will incorporate current server configuration procedures and practices into configuration management plans consistent with federal standards and guidelines for the four operating systems covered by the audit. DIT will also determine whether other operating system software platforms require configuration management plan(s) and develop such plans as appropriate.

OIG Evaluation of Response: The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 3: The CIO should ensure that the certification and accreditation of the FDIC’s general support systems incorporate an evaluation and testing of the FDIC’s configuration management policy and plans referenced in recommendations 1 and 2 of this report.

DIT Response: DIT partially concurs with the recommendation. DIT stated that the FDIC’s security test and evaluation (ST&E) process, a component of the certification and accreditation (C&A) program, evaluates configuration management policies, procedures, and plans for compliance with NIST guidance and industry best practices. Once the new configuration management policy and plans are developed, DIT agrees to include evaluation and testing of the policy and plans in future C&A cycles.

OIG Evaluation of Response: DIT’s response meets the intent of the recommendation. The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 4: The CIO should document the minimum required configuration settings for the Windows® server and desktop operating system platforms and develop procedures to ensure that changes to baseline configuration settings are documented.

DIT Response: DIT partially concurs with the recommendation. DIT indicated that it has several processes to document required configuration settings for Windows® servers and desktop operating systems, including server build procedures. However, DIT agrees to review its current procedures to ensure that standard baseline configurations and approved exceptions to configuration settings are fully documented. DIT will also re-emphasize compliance with operational procedures established to ensure that server and desktop build procedures are consistently applied for each operating system. Additionally, DIT will evaluate the feasibility of adopting automated tool(s) that can facilitate periodic review of configuration settings to monitor compliance with build standards.

OIG Evaluation of Response: DIT’s response meets the intent of the recommendation. The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 5: The CIO should standardize and integrate the recording, tracking, and reporting of operating system software configuration changes to the maximum extent practical. As part of this effort, DIT should consider using automated mechanisms to improve performance metric reporting for configuration changes from a system-specific and enterprise perspective.

DIT Response: DIT concurs with the recommendation. DIT stated that it has been working to standardize a single system for tracking and documenting configuration changes and improving performance metric reporting.

OIG Evaluation of Response: The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective action has been completed and is effective.

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Rec. No. 1
Corrective Action Taken or Planned/Status: DIT will modify existing policies or develop a new policy that addresses configuration management principles from a high-level, enterprise approach and that addresses requirements for configuration management plans and periodic self-assessments.
Expected Completion Date: November 30, 2005
Monetary Benefits: N/A
Resolved (a): Yes
Dispositioned (b): No
Open or Closed (c): Open

Rec. No. 2
Corrective Action Taken or Planned/Status: DIT will incorporate operating system software configuration management procedures and practices into configuration management plans consistent with federal standards and guidelines.
Expected Completion Date: March 15, 2006
Monetary Benefits: N/A
Resolved (a): Yes
Dispositioned (b): No
Open or Closed (c): Open

Rec. No. 3
Corrective Action Taken or Planned/Status: DIT will include new configuration management policies and plans in future certification and accreditation cycles.
Expected Completion Date: June 30, 2006
Monetary Benefits: N/A
Resolved (a): Yes
Dispositioned (b): No
Open or Closed (c): Open

Rec. No. 4
Corrective Action Taken or Planned/Status: DIT will (1) review its current procedures to ensure that standard baseline configurations and approved exceptions to configuration settings are fully documented, (2) re-emphasize compliance with operational procedures for ensuring server and desktop build procedures are consistently applied for each operating system, and (3) evaluate the feasibility of adopting automated tool(s) that can facilitate periodic review of configuration settings to monitor compliance with build standards.
Expected Completion Date: April 15, 2006
Monetary Benefits: N/A
Resolved (a): Yes
Dispositioned (b): No
Open or Closed (c): Open

Rec. No. 5
Corrective Action Taken or Planned/Status: DIT will standardize a single system for tracking and documenting configuration changes and improving performance metric reporting.
Expected Completion Date: August 31, 2006
Monetary Benefits: N/A
Resolved (a): Yes
Dispositioned (b): No
Open or Closed (c): Open

(a) Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

(b) Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.

(c) Once the OIG dispositions the recommendation, it can then be closed.

DIVISION OF INFORMATION TECHNOLOGY COMMENTS